What's "Strategy" here?


- Steps you can take
- Maximise benefit and minimise risk
- In the short, medium and long term








[Slide: chart "OSS Impact on Innovation", comparing "Use OSS" with "No OSS" (sources: McKinsey, 2021; O'Reilly Media, 2021); figure "€65 to €99 billion OSS contribution to EU GDP" (Open Forum Europe, 2021); Nagle, 2018.]
Releasing Open Source











Matt Massicotte (@mattie):

Every project has some absolutely fantastic code in a folder called "Utility" that should be open sourced.

7:54 am · 11/3/2022 · Twitter Web App
https://twitter.com/mattie/status/1502025076681719808


Why release?





You can gain more than you give
- Release the utility stuff
- Reuse the utility stuff
- Do more creative ...

A beneficial cycle
Software supply chain
[Slide: deps.dev page for the PyPI package requests 2.27.1, tabs Overview / Dependencies / Dependents / Compare Versions. Dependencies: Direct, Indirect (View all dependencies). Dependents: Direct 38701, Indirect 28908 (View dependents). Source: deps.dev]
John Hammond (@_JohnHammond):

aaaaand then code execution?? #log4j #minecraft

9:39 PM · Dec 10, 2021 · Twitter Web App
https://twitter.com/_JohnHammond/status/1469255402290401285
APPLICATION SECURITY | VULNERABILITIES

Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine

Liran Tal

On March 15, 2022, users of the popular Vue.js frontend JavaScript framework started experiencing what can only be described as a supply chain attack impacting the npm ecosystem. This was the result of nested dependencies being sabotaged as an act of protest by the maintainer of the package.

This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms. While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security.

Snyk is tracking the security incidents that are portrayed in this article via the following CVEs: CVE-2022-23812 and SNYK-JS-PEACENOTWAR-2426724 for the npm modules. If you are already using Snyk for open source security and supply chain security, you will be getting notifications, alerts, and automated pull requests raised by the tooling to

















Unity Hub Release Notes

3.1.1
Mar 16, 2022
HotFix

* This HotFix eliminates an issue where a 3rd party library was able to create an empty text file on the desktop of people using this release version. While it was a nuisance, the issue did not include malicious functionality. Any user that had this file appear on their desktop after updating the Unity Hub can delete this file.
[Slide: chart "The full lifecycle of a vulnerability" (median, in weeks, axis 0 to 250): undetected vulnerability, alerting users to upgrade, fixing known vulnerability, users upgrading to fix version. Source: GitHub Octoverse 2020 Security Report]





This is all software








1. Know your open source supply chain
2. Maintain your open source supply chain
3. Repeat
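The Snyk excerpt above makes the point that transitive dependencies shape your security, and step 1 of the list above is to know your open source supply chain. As an added example (not from the slides, and not a Snyk, npm or deps.dev tool), the Python below reads an npm package-lock.json, reproduces npm's nearest-node_modules lookup so that nested copies are attributed to the package that installed them, splits direct from transitive dependencies, and lists every chain through which a named package reaches the project root. The lockfile is constructed: it borrows the names node-ipc and peacenotwar from the slides, but the versions and the tree are invented.

```python
"""Map how a nested dependency reaches your build from an npm lockfile.

Added example; it is not part of the slides or of any project they cite.
The lockfile below is CONSTRUCTED: package names echo the node-ipc /
peacenotwar case from the slides, but the versions and the tree are made up.
"""
import json
from collections import deque

# Constructed package-lock.json (lockfileVersion 2 "packages" layout).
# Keys are install paths; "" is the project root. A nested key such as
# "node_modules/a/node_modules/b" is a second copy of b installed only for a.
CONSTRUCTED_LOCKFILE = json.dumps({
    "name": "example-frontend",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"example-framework": "^3.0.0", "example-logger": "^2.0.0"}},
        "node_modules/example-framework": {"version": "3.2.0",
                                           "dependencies": {"example-cli-tool": "^5.0.0"}},
        "node_modules/example-cli-tool": {"version": "5.0.1",
                                          "dependencies": {"node-ipc": "^1.0.0"}},
        # nested copy: example-cli-tool's own node-ipc, which pulls in peacenotwar
        "node_modules/example-cli-tool/node_modules/node-ipc": {
            "version": "1.0.0", "dependencies": {"peacenotwar": "^1.0.0"}},
        "node_modules/peacenotwar": {"version": "1.0.0"},
        "node_modules/example-logger": {"version": "2.0.0",
                                        "dependencies": {"node-ipc": "^0.9.0"}},
        # hoisted, older copy of node-ipc with no further dependencies
        "node_modules/node-ipc": {"version": "0.9.0"},
    },
})


def load_packages(lockfile_text):
    return json.loads(lockfile_text)["packages"]


def resolve(packages, from_path, name):
    """Mimic npm's lookup: the nearest node_modules/<name> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        cut = base.rfind("/node_modules/")   # drop the last ".../node_modules/<pkg>" segment
        base = base[:cut] if cut != -1 else ""


def build_graph(packages):
    """Edges from each installed path to the paths its declared dependencies resolve to."""
    graph = {}
    for path, meta in packages.items():
        graph[path] = {}
        for name in meta.get("dependencies", {}):
            target = resolve(packages, path, name)
            if target is not None:
                graph[path][name] = target
    return graph


def classify(graph):
    """Split everything reachable from the root into direct and transitive install paths."""
    direct = set(graph[""].values())
    seen, queue = set(), deque([""])
    while queue:
        for target in graph[queue.popleft()].values():
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return direct, seen - direct


def paths_to(graph, packages, name):
    """Every chain root -> ... -> <name>, as lists of 'name@version'."""
    results = []

    def label(path):
        return f"{path.rsplit('node_modules/', 1)[1]}@{packages[path].get('version', '?')}"

    def walk(path, chain, visited):
        for dep_name, target in graph[path].items():
            if target in visited:        # npm graphs may contain cycles; do not loop
                continue
            step = chain + [label(target)]
            if dep_name == name:
                results.append(step)
            walk(target, step, visited | {target})

    walk("", [], {""})
    return results


def installed_versions(packages, name):
    """All distinct versions of <name> present anywhere in the tree (duplicates are common)."""
    suffix = f"node_modules/{name}"
    return sorted({meta.get("version", "?") for path, meta in packages.items()
                   if path.endswith(suffix)})


if __name__ == "__main__":
    pkgs = load_packages(CONSTRUCTED_LOCKFILE)
    graph = build_graph(pkgs)
    direct, transitive = classify(graph)
    print(f"{len(direct)} direct, {len(transitive)} transitive dependencies")
    for chain in paths_to(graph, pkgs, "peacenotwar"):
        print("peacenotwar reached via: " + " -> ".join(chain))
    print("node-ipc versions installed:", installed_versions(pkgs, "node-ipc"))
```

To run it against a real project, replace CONSTRUCTED_LOCKFILE with the contents of the project's package-lock.json; lockfileVersion 3 files keep the same "packages" map, so the walk applies to them unchanged. The two copies of node-ipc in the constructed tree are the point: a lockfile can satisfy one dependant with a clean version and another with the affected one, so a query by name alone ("is node-ipc installed?") is not enough; you need the version at each install path and the chain that put it there.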
[Slide: screenshot of Unity's third-party software notices. The component and license entries recoverable from the screenshot are listed below; text cut off in the screenshot is marked [...].]

MonoBleedingEdge | MIT X11 License
7-Zip Command line version | GPL 2
smol-v | Public Domain
Copyright (c) 2016 Aras Pranckevicius.
FMOD. Copyright (c) Firelight Technologies Pty, Ltd.
NDecompiler | MIT License
Copyright (c) 2010-2014 AlphaSierraPapa, Xamarin
ogg | BSD 3-Clause License
Copyright (c) 2002, Xiph.org Foundation
DirectXTex | MIT License
Copyright (c) Microsoft Corporation. All rights reserved.
Nunit | MIT License
Copyright (c) 2016 Charlie Poole, 2018 Charlie Poole, Rob Prouse
Lame | LGPL 2.1
Copyright (c) 1999 Mark Taylor
Emscripten | MIT License
Copyright (c) 2010-2021 Emscripten authors
Open Image Denoise | Apache License
Copyright 2009-2019 Intel Corporation
Copyright (c) 2002, Xiph.org Foundation
Enlighten. Copyright (c) 2014 Geomerics Ltd.
OpenSSL | The OpenSSL toolkit stays under a dual license, i.e., both the conditions of the OpenSSL License and the Original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
libvorbis | BSD 3-Clause License
Copyright (c) 2002-2009 Xiph.org Foundation
Autodesk FBX SDK. Copyright (c) 2019 Autodesk, Inc. All rights reserved. Use of the FBX SDK requires agreeing to and complying with the FBX SDK L[...] Service Agreement terms accessed at https://unity3d.com/legal/aut[...]
MaxRectsBinPack | Public Domain by Jukka Jylänki
FMOD | Copyright (c), Firelight Technologies Pty, Ltd. 2004-2014.
Copyright (c) 2006-2009 Erin Catto http://www.box2d.org
FreeImage open source image library | FreeImage Public License, v[...]
Copyright (c) 2003-2008 FreeImage (freeimage.sourceforge.net).
CUDA | Copyright NVIDIA Corporation. All rights reserved. Use of the CUDA SDK requires agreei[...] with the NVIDIA Software EULA terms accessed via http://developer.download.nvidia.com/compute/cuda/9.0/Pr[...]pdf (Accessing the EULA requires joining the NVIDIA Dev[...] https://developer.nvidia.com/programs/gamedev/register.)
OptiX | Copyright NVIDIA Corporation. All rights reserved. Use of the OptiX SDK requires agreeing to and complying with the NVIDIA Software Developer Kits, Samples and Tools License Agreement terms accessed via the NVIDIA Developer Program (which requires NVIDIA Developer registration at https://developer.nvidia.com/designworks/optix/download) via https://developer.download.nvidia.com/designworks/DesignWorks SDKs Samples Tools License distrib use rights 2017 06 13.pdf?[...]. You are required to notify NVIDIA prior to use of the NVIDIA Optix Software in a commercial application (including a plug-in to a commercial application) by visiting https://developer.nvidia.com/sw-notification and submitting the web form requested information.
JsonSchema Validator | Newtonsoft Commercial License (http://www.[...]store/license)
MipmapGenerationTool | Mip map generation shader algorithm inspired by Microsoft's mini[...], including new features such as support for texture array and 3d v[...] mip map generation. Microsoft GenerateMipsCS: https://github.com/microsoft/DirectX-Graphics-Samples/blob/master[...]Core/Shaders/GenerateMipsCS.hlsli, MIT License
Clipper Library | Boost Software License
Copyright © 2010-2014 Angus Johnson.
brotli.js | MIT License
Copyright (c) Devon Govett.
brotli | MIT License
Copyright (c) 2009, 2010, 2013-2016 by the Brotli Author[...]
Mongoose. Copyright (c) 2013-2015 Cesanta Software Limited.
PhysX SDK. Copyright (c) 2002-2016 NVIDIA Corporation. ALL rights reserved. Use of the PhysX SDK requires agreeing to and complying with the NVIDIA GameWorks EULA terms accessed via: https://developer.nvidia.com/content/apply-access-nvidia-physx-source-code. (Accessing the EULA requires joining the GameWorks NVIDIA Developer Program at: https://developer.nvidia.com/programs/gamedev/register.)
Pako zlib for JavaScript | MIT License
Copyright (C) 2014-2015 by Vitaly Puzrin
Mono.Options | MIT License
Copyright (C) 2008 Novell (http://www.novell.com)
Copyright (C) 2009 Federico Di Gregorio.
Copyright (C) 2012 Xamarin Inc (http://www.xamarin.com)
LZ4 - Fast LZ compression algorithm | BSD 2-Clause Licen[...]
Copyright (c) 2011-present Yann Collet
Thanks!